FR2991796A1 - METHOD OF SAVING DATA OUTSIDE A SECURE MICROCIRCUIT - Google Patents

Abstract

The invention relates to a method for managing the memory of a secure microcircuit (SE), comprising steps performed by the microcircuit consisting of: forming a data block (BLi) with executable code and / or data stored in a memory volatile memory (MEM2) of the microcircuit, and to save on the outside of the microcircuit, calculate a signature (SGi) of the data block with the aid of a first signature key, insert the calculated signature of the data block into a block of signatures (BLS), obtain a current value of a non-volatile counter (CNT) internal to the microcircuit, calculate a signature (SGG) of the signature block associated with the current value of the internal counter, using a second signature key, and transmit outside the microcircuit, the data block, the signature block and the signature block signature.

Description

BACKGROUND OF THE INVENTION The present invention generally relates to secure microcircuits such as those integrated in smart cards, and portable objects such as mobile phones, tablets and laptops. , integrating such smart cards.

The present invention applies in particular to smart cards for securing sensitive transactions such as payment transactions or access to a service, contact or remote, for example Near Field Communication (NFC) or Bluetooth . Microcircuits generally comprise a processor and a non-volatile rewritable memory for storing in particular the program executed by the processor and data to be kept between two transactions. This non-volatile memory, generally of the EEPROM or Flash type, is relatively expensive to manufacture compared to the processor and occupies a large area of the microcircuit or involves specific manufacturing techniques. It may therefore be desirable to propose a microcircuit without a rewritable non-volatile memory or with such a nonvolatile memory, but of low capacity, that is to say insufficient to store therein the operating system executed. by the microcircuit processor, and data to be retained when the microcircuit is de-energized. The programs and data to be stored can be stored outside the microcircuit, for example in a non-volatile memory of the device in which the microcircuit is integrated. When the microcircuit is powered up, the programs and data stored outside the microcircuit can be loaded into a volatile memory of the microcircuit. However, backing up programs and data outside the microcircuit raises issues, including security issues. Indeed, smart card microcircuits can memorize secret data such as identifiers and encryption keys. Moreover, in certain sensitive applications such as payment applications or access control applications for a paid service, the programs executed by these microcircuits are generally certified by approved organizations. The external memory where the programs and data to be backed up would be stored not being necessarily secured or connected to the microcircuit via a secure link, it may therefore be necessary to ensure the confidentiality and / or integrity of the data and programs saved. outside the microcircuit. For this purpose, it may be provided to encrypt and / or sign programs and data to be saved before transmitting them outside the microcircuit. The processor must therefore have a secret encryption key. In the absence of nonvolatile memory, this secret key can not be kept by the microcircuit if it is turned off, in order to decrypt programs and data received or verify signatures. This solution also raises security problems, especially when it involves controlling or limiting a number of operations authorized to be executed by the microcircuit. This problem arises when the microcircuit should only be able to execute a limited number of transactions for example in the context of payment applications or access control to a place or a service (for example downloading games or music ). Indeed, if the transaction data are stored outside the microcircuit, even in encrypted form, a so-called "replay" attack may consist in replacing a last block of encrypted data with an older block of encrypted data transmitted by the microcircuit. In the absence of rewritable nonvolatile memory, the microcircuit can not determine if a received block of encrypted data corresponds to the last block of data that it has sent to be saved in external nonvolatile memory, or to an older block . Moreover, the volatile memories provided in the microcircuits may have a large capacity. The backup of all volatile memory may therefore require the immobilization of the microcircuit for a significant period. This duration can be further increased if the backup is interrupted before it finishes and must be run again. This duration can also affect the comfort of use of the microcircuit. It can therefore hardly be possible to save all the volatile memory before each power off of the microcircuit or worse, each time the content of this memory is changed. It may therefore be desirable to propose a microcircuit in which the rewritable non-volatile memory, which may notably be of Flash, EEPROM, MRAM (Magnetic RAM) type, and battery-backed RAM, is deleted and replaced by a programmable nonvolatile memory. only one time (OTP One Time Programmable), or is limited to a low capacity, insufficient to store the program or programs executed by the microcircuit and data to be kept between two sessions of use of the microcircuit. It may also be desirable that this deletion or limitation of the rewritable non-volatile memory does not affect the security of the microcircuit. It may also be desirable not to have to save the entire contents of the volatile memory at one time to the outside of the microcircuit.

Embodiments relate to a method for managing the memory of a secure microcircuit, comprising steps performed by the microcircuit consisting in: forming a data block with executable code and / or data stored in a memory of the microcircuit, and to save on the outside of the microcircuit, to calculate a signature of the data block with the aid of a first signature key, to insert the calculated signature of the data block into a signature block, to obtain a current value of a counter non-volatile internal microcircuit, calculate a signature of the signature block associated with the current value of the internal counter, using a second signature key, and transmit outside the microcircuit, the data block, the block of signatures and signature of the signature block. According to one embodiment, the method comprises steps performed by the microcircuit consisting in: issuing a request for a block of signatures, receiving in response a block of signatures accompanied by a signature, calculating a signature of the block of signatures associated with the current value of the internal counter, using the second signature key, and if the calculated signature corresponds to the received signature: forming a data block with executable code and / or data stored in the volatile memory of the microcircuit , and to save outside the microcircuit, calculate a signature of the data block, using the first signature key, insert the calculated signature of the data block into the signature block, modify the current value of the counter internally, calculate a new signature of the signature block associated with the new value of the internal counter, using the second signature key, and transmit to the outside of the microcircuit, the block of data, the block of signatures and the new signature of the block of signatures. According to one embodiment, the method comprises the steps of: if the computed signature of the signature block corresponds to the received signature: sending a request for a block of data saved outside the microcircuit, receiving in response the block required data, calculate a signature of the received data block, using the first signature key, and if the calculated signature of the data block corresponds to a signature of the data block in the signature block, load the data block in the volatile memory of the microcircuit.

According to one embodiment, the method comprises a step of cutting the volatile memory of the microcircuit into data blocks that can be saved outside the microcircuit, in association with a signature of the data block, saved in the signature block. According to one embodiment, the first and second signature keys are read from a nonvolatile memory of the microcircuit or regenerated from a secret datum provided by a circuit of the microcircuit. According to one embodiment, the first and second signature keys are identical.

According to one embodiment, the method comprises a step of encrypting a block of data or the signature block, using an encryption key, before issuing it outside the microcircuit. According to one embodiment, the encryption key is identical to the first or the second signature key.

According to one embodiment, each block is signed and / or encrypted with a signature or encryption key distinct from the signature and / or encryption keys used for the other blocks. According to one embodiment, each signature key is generated from a secret data obtained by a non-reproducible, substantially deterministic, non-invertible and characteristic function of the microcircuit, which combined with an error correction function or a function of averaging, always provides the same secret data. According to one embodiment, the generation of each signature key comprises the steps of: generating random data and error correction data from the random data, generating the signature key from the random data, obtain a first secret datum from a non-reproducible, substantially deterministic, non-invertible and characteristic function of the microcircuit, and combine by a first invertible logic function the first secret datum and the random datum, to obtain an exportable datum to the external of the microcircuit, the regeneration of each signature key comprising steps of: obtaining a second secret data from the characteristic function of the microcircuit, and combining by a second inverse logic function of the first logic function, the second secret data item 15 and the exportable data, apply to the result of the second form logic a error correction process using the error correction data, to obtain the random data, and generate the signature key from the random data. According to one embodiment, the generation of each signature key comprises the steps of: obtaining a third secret datum from the characteristic function of the microcircuit, and combining by the first logical function, the third secret datum and the datum of error correction, to obtain a second exportable data, the regeneration of each signature key comprising the steps of: obtaining a fourth secret data from the characteristic function of the microcircuit, and combining by the second logical function, the fourth secret data and the second exportable data, to obtain an error correction data which is used by the error correction processing, to obtain the random data. According to one embodiment, the method comprises a step of modifying bits in the secret data provided by the characteristic function of the microcircuit, by insertion of random bits or inversion of bits in the secret data, bit changes in the secret data. having a range such that they can be corrected by the error correction function.

Embodiments also relate to a microcircuit comprising a processor and a volatile memory in which a program executed by the processor is stored, the microcircuit being configured to implement the method as previously defined.

According to one embodiment, the microcircuit comprises a non-volatile rewritable storage capacity that is insufficient to store the programs or the operating system executed by the microcircuit. According to one embodiment, the microcircuit comprises a circuit implementing a non-reproducible function, substantially deterministic, non-invertible and characteristic of the microcircuit. Exemplary embodiments of the invention will be described in the following, without limitation in connection with the accompanying figures in which: Figure 1 shows schematically a portable device comprising a secure microcircuit, Figures 2 and 3 schematically show circuits FIG. 4 represents a data structure, according to one embodiment, FIGS. 5 and 6 represent steps executed during the execution of a program by the secure microcircuit, and FIG. switching on the microcircuit, according to embodiments, FIGS. 7 and 8 schematically represent circuits for generating the same secret data that can serve as a cryptographic key or as a master key for generating cryptographic keys, FIG. circuit of the microcircuit according to one embodiment. FIG. 1 represents a portable device HD, such as a mobile phone equipped with a near-field communication interface. The HD device comprises, for example, a main processor BBP, also called a "baseband processor", a RCT radio circuit connected to the BBP processor, and a secure microcircuit SE connected to the processor BBP. The chip SE can be UICC type ("Universal Integrated Circuit Card"), for example mini-SIM type, 35 micro-SIM or micro-SD.

The portable device HD may for example be of the NFC near field type, equipped with a near-field communication interface. Thus, the portable device may also comprise an NFC controller, referenced NFCC, which is connected to the processor BBP by a link B2, an antenna circuit AC1 connected to the controller NFCC. The chip SE can be connected to the controller NFCC by a link B3. The chip SE may be configured to perform NFC transactions with a transaction terminal (not shown) via the NFCC controller. The NFCC controller comprises a contactless communication interface 10 CLF connected to the antenna circuit AC1. The controller NFCC can be in the form of an integrated circuit, such as MicroRead0 marketed by the Applicant. The HD device may also comprise another secure processor, for example integrated in a SIM card ("Subscriber Identity Module"), as well as a non-volatile memory card, such as a Micro SD card ("Micro Secure Digital Card" ). The chip SE which is for example integrated in a card, can be connected to the processor BBP by a link B1. Figure 2 shows circuits of the chip SE. The chip SE comprises a PRC processor, as well as memories MEM1, MEM2 and cryptographic calculation circuits CRYC connected to the processor PRC. The memory MEM1 is for example ROM type ("Read-Only Memory") or one-time programmable type OTP ("One Time Programmable") and the memory MEM2 is volatile, for example RAM ("Random Access Memory" type) ). According to one embodiment, the chip SE comprises a non-volatile memory MEM3 of small capacity, for example a few tens of bytes, which can be rewritable, or a programmable memory once (OTP). The OTP memories can be manufactured at a lower cost compared with a Flash 30 or EEPROM type memory, using only steps for manufacturing CMOS circuits. The memory MEM3 can also be a low-capacity RAM, powered by a dedicated miniaturized battery, when the microcircuit is no longer powered by an external supply voltage source, for example that of the device HD. The battery is recharged when the microcircuit is connected to an external supply voltage source. Here "low capacity" means insufficient capacity to back up the program or the operating system executed by the PRC processor. Memory MEM3 is used to save the value of a counter. FIG. 3 represents a chip SE1 according to another embodiment. The microcircuit SE1 differs from the microcircuit SE in that it does not include nonvolatile memory, but a counter realized by a CNC wired logic circuit and an IFC circuit for generating the same secret data each time the chip SE1 is powered up. . This secret data may be used as an encryption key or to generate such a key. The CNC circuit can be powered by a dedicated miniature battery BT. The BT battery is recharged when the microcircuit is connected to an external supply voltage source. Of course, the chip SE (FIG. 2) may also comprise a circuit such as the IFC circuit for generating secret data that may be used as an encryption key or to generate such an encryption key. According to one embodiment, one or more programs executed by the microcircuit SE, SE1 and data manipulated by these programs, stored in the memory MEM2, are saved in a non-volatile external memory, for example an LM memory connected to the processor BBP. . FIG. 4 represents a data structure in the memory LM in which the programs and data stored in the memory MEM2 of the microcircuit SE, SE1 are saved. In Fig. 4, the data structure comprises BL1, BL2, BLn and BLS blocks and a SGG signature of the BLS block. The block BLS includes a signature SG1, SG2, SGn of each of the blocks BL1-BLn. FIG. 5 represents steps executed by the secure microcircuit SE, SE1, previously put into communication with an external storage memory, for example the memory LM accessible via the processor BBP. These steps 30 are executed by the chip SE, SE1 to save in the memory LM, a block BLi being in the memory MEM2. At a step S1, the chip SE, SE1 sends a read request from the block BLS and the signature SGG of the block BLS, to the processor BBP. In a step S2, the processor BBP reads the required information into the memory LM. At step S3, the processor BBP transmits to the chip SE, SE1, the block BLS and the signature SGG in the memory LM. At a step S4, the microcircuit SE, SE1 calculates a signature of the BLS block received, concatenated with the value of the counter CNT read in the memory MEM3 or supplied by the CNC circuit. This signature is calculated using a secret key K, for example stored in the memory MEM3 of the chip SE, or generated using the IFC circuit of the chip SE1. At a step S5, the microcircuit SE, SE1 compares the signature SGG 'obtained in step S4 with the signature SGG received in step S3. The microcircuit SE, SE1 then executes steps S6 to S10 only if the signature SGG 'corresponds to the signature SGG. In step S6, the chip SE, SE1 calculates with the key K a signature SGi block BLi to save. In step S7, the microcircuit SE, SE1 updates the block BLS by inserting the signature SGi obtained at the location of the signature of the block BLi. In step S8, the microcircuit increments the value of the counter CNT stored in the memory MEM3 or by the CNC circuit. In step S9, the microcircuit SE, SE1 calculates the SGG signature of the BLS block applied to the BLS block as updated in step S7, concatenated with the new value of the counter CNT obtained in step S8. In step S10, the microcircuit SE, SE1 transmits the blocks BLi and BLS and the signature SGG to the processor BBP. In step S11, the processor BBP receives this data and saves it in the memory LM, possibly replacing the blocks BLi, BLS and signature SGG that were stored therein. During a first backup of a first block BLi in the memory LM, only steps S6, S7 and S9 to S11 are executed. The value of the counter CNT may be zero if the microcircuit executes for the first time step S8. In this way, the chip SE, SE1 can exploit nonvolatile external memory, such as that of a mobile phone, which is sometimes large capacity and largely unused. It should be noted that the microcircuit SE, SE1 can have direct access to a non-volatile memory external to the microcircuit. In this case, the steps S1 and 59 consist in the transmission of read and write requests from this external memory. According to one embodiment, the size of the BLi blocks is defined according to the physical or logical organization of the memory LM or the memory MEM2. Thus the size of each block BLi can correspond to the size of a page or a physical or logical sector of the memory LM or MEM2. According to another embodiment, the size of the BLi blocks is defined according to the organization of the programs and data in the memory MEM2. Thus, a BLi block may comprise all or part of the program and data of an application installed in the microcircuit. The division into BU blocks of the programs and data stored in the memory MEM2 can also be determined in order to reduce as much as possible the operations of saving and restoring a block in the memory 10 MEM2 from the memory LM. FIG. 6 represents steps executed by the chip SE, SE1 for loading in the memory MEM2, a block of data BLi stored in the external memory LM. These steps are executed for example when the microcircuit is turned on, or when an application stored in the block BLi must be executed. Indeed, it can be expected that upon power up, the chip SE, SE1 sends a load request of the first block BL1 which contains the operating system of the PRO processor or a first part of this operating system, and that the program in block BL1 makes it possible to determine which block BLi must also be loaded, according to an application to be executed. At a step S21, the chip SE, SE1 regenerates the key K using the IFC circuit or reads it in the memory MEM3. At a step S22, the chip SE, SE1 sends a read request of the block BLS and the signature SGG. At a step S23, this request is received and executed by the BBP processor which reads the required block into the memory LM. At a step S24, the processor BBP transmits in response the block BLS and the signature SGG. These data are received by the chip SE, SE1 at a step S25. In a step S26, the chip SE, SE1 calculates, using the key K, a signature SGG 'of the block BLS concatenated with the current value of a counter ONT read in the memory MEM3 or supplied by the CNC circuit. If the memory MEM3 is of OTP type, the ONT counter can be implemented by managing this memory in the manner of an abacus, by changing the state of a bit of the memory each time the value of the counter ONT must be modified. In a step S27, the chip SE, SE1 compares the calculated signature SGG 'with the signature SGG received in step S24. The microcircuit SE, SE1 then executes steps S28 to S33 only if the signature SGG 'corresponds to the signature SGG. In step S28, the chip SE, SE1 sends a request for a block BLi. At a step S29, this request is received and executed by the processor BBP which reads the required block in the memory LM. In step S30, the processor BBP transmits in response the block BLi. In step S31, the chip SE, SE1 receives the block BLi and calculates a signature SGi 'of the block BLi using the key K. In step S32, the chip SE, SE1 compares the calculated signature SGi' with the SGi signature of the BLi block in the BLS block. The chip SE, SE1 then executes step S33 only if the signatures SGi and SGi 'correspond. In step S33, the chip SE, SE1 loads in the memory MEM2. If the block BLi thus loaded comprises a program Pgm, the chip SE, SE1 executes this program. If other blocks BL1-BLn are required, the microcircuit can repeat steps S28 and S31 to S32 to load the missing blocks into memory MEM2 before executing step S33. In this way, if a block BLi is replaced by an old version of this block, its signature will not correspond to that which appears in the block BLS. On the other hand, if the block BLS is modified by inserting the signature of the old block BLi, it is not possible to generate the signature SGG corresponding to the block BLS thus modified without knowing the key K and having total control over the ONT counter value. It is therefore sufficient to prevent the key K from being accessible from outside the microcircuit, or the counter can be forced to a previous value, to protect the microcircuit against what is called the "replay" of an old BLi program and / or data block that is authentic but is not the last block saved by the chip SE. It should be noted that the different ONT counter values used to calculate the SGG signature are not necessarily consecutive, neither increasing nor decreasing. It is simply important that the ONT value be changed each time a new SGG signature is computed. The key K used to calculate the SGG signature of the block BLS may be different from that used to calculate the signatures SG1-SGn blocks BL1-BLn. Similarly, each block BL1-BLn can be signed with a different key from those used to sign the other blocks BL1-BLn. Moreover, blocks BL1-BLn and BLS can be encrypted before being transmitted outside the chip SE, SE1. The blocks BL1-BLn and BLS received by the microcircuit are then decrypted by the latter before the programs and data they contain are installed in the memory MEM2. The key used to encrypt blocks BL1-BLn and BLS may be different than the key (s) used to calculate SGG signatures, SG1-SGn. Likewise, each block BLi can be encrypted with a key of its own. Signature calculations and ciphers can be done using the CRYC circuit. The memory MEM2 can be divided into blocks BLi, each block being associated with a modification indicator specifying whether the block has been modified since the last block was saved in the memory LM, or since the last loading of the block from the memory LM. The modification indicators of the BLi blocks are updated each time they are written in the memory MEM2. At certain stages, for example at the end of the execution of an application by the microcircuit, the latter successively reads the modification indicators and executes the steps S1 to S11 for each block BLi associated with a modification indicator indicating that the block was modified. The key K can be generated from an irreversible function H applied to a first number stored in the memory MEM1 or MEM3. This number may be for example an identifier of the microcircuit, such as a serial number. The key K can be generated during the execution of the program stored in the memory MEM1. The irreversible function can be a hash function such as MD5, SHA1 or SHA256. If several keys are needed, for example to sign the block BLS on the one hand and on the other hand, each block BL1-BLn, or to encrypt these blocks, each key Ki can be generated by applying one or the other other of the following formulas: Ki = H (k / i), or (1) Ki = H ((Ki-1) / i), (2) in which H is an irreversible function such as a hash function or a function PUF, i is a number which is modified, for example incremented, at each key generation from a predefined initial value, k / i represents a first number k concatenated with the number i, and Ki-1 is a key generated from the number i-1, the key K1 being equal to H (k / 1). The first number k can be chosen equal to the number RND in FIGS. 7 and 8.

A series of keys can thus be generated deterministically, if the first number chosen k is always the same, for example the key K, and if the series of numbers i chosen is always the same for a given microcircuit. Sets of derived keys can also be generated from a key Ki, and by reusing the series of numbers i, by applying the irreversible function to each of the numbers of the series of numbers i, concatenated with the key Ki. According to another embodiment, secret keys can also be generated by applying to a first number a first irreversible function H1 to obtain a key root number, and by applying to this number, a second irreversible function H2. Several secret keys can be generated by successively applying the function H1 to each result previously provided by this function to obtain a series of derived key root numbers, and applying the function H2 to each derived key root number thus obtained. Here again the first selected number k can always be the same, as the key K, to always generate the same set of keys Ki. Thus, a series of keys Ki can be generated by applying the following equations: Si = H1 (Si-1), and (3) Ki = H2 (Si) (4) with S1 = H1 (k), S1 and Si being respectively the root numbers of keys K1 and Ki. One and / or the other of the functions H1 and H2 may be a PUF function implemented by the IFC circuit. The first number Si can be chosen equal to the number RND in FIGS. 7 and 8 or to the result of the function H1 applied to the number RND. According to one embodiment, the IFC circuit comprises a circuit that is physically non-reproducible, implementing a physically irretrievable, irreversible function PUF ("Physically Unclonable Function") whose operation is essentially unpredictable and non-determinable. Such a function can therefore be used for microcircuit identification purposes or to generate secret data that can be used as a key K or to generate the key K. The PUF functions are for example made by a circuit responsive to the manufacturing conditions. of the circuit, so that the PUF respective functions of two microcircuits have a very low probability of providing an identical result, even if the two microcircuits are from the same production line. The PUF function is therefore a one-way function equivalent to a hash function such as SHA1, but characteristic of each microcircuit. The IFC circuit is used to generate one or more signing or encryption keys. Figure 7 shows the IFC circuit, according to one embodiment. The IFC circuit includes PUC, IFC1 and IFC2 circuits. The circuit PUC implements an irreversible function physically non-reproducible PUF ("Physically Unclonable Function") whose operation is essentially unpredictable and not determinable. The PUC circuit has the particularity of being physically non-reproducible. The IFC1 circuit is activated during commissioning of the microcircuit and whenever the circuit must be reset in particular to generate a new key K to be used to sign blocks BLi, BLS. The IFC2 circuit is activated each time the microcircuit is powered up to regenerate the key K which was previously used to sign the BU blocks, BLS saved in the memory LM. The IFC1 circuit comprises an exclusive OR XG1 logic operator and a ECC1 error correction data generation circuit.

The operator XG1 is connected at the output of the circuit PUC and a random number generation circuit RNGN and provides an EXT data which is therefore equal to PN 0 RND, PN being the data supplied by the circuit PUC, RND being a number random provided by the RNGN circuit and "e" representing the exclusive OR operator. The RND and PN data are therefore the same size in number of bits. The circuit ECC1 receives the random number RND and provides ECW error correction data. The IFC2 circuit comprises an XG2 Exclusive OR logic operator and an ECC2 error correction circuit. The operator XG2 receives the data EXT which has been transmitted to the chip SE, as well as data PN '30 coming from the circuit PUC. Given the properties of the circuit PUC, the PN 'data is supposed to be identical or close to the PN data that was produced during commissioning of the chip SE. Here "near" means identical to a bit number less than half the number of bits of PN, PN 'data. The operator XG2 provides a resultant data RND 'to the ECC2 circuit 35 which furthermore receives the ECW data which has been transmitted to the microcircuit SE.

Thus, the data RND 'is equal to PN' EXT. The circuit ECC2 corrects the data RND 'and thus restores the data RND. Note that if the data PN and PN 'are identical, the operator XG2 directly supplies the RND data, and the ECC2 circuit detects no error to correct and therefore also provides the data RND. The ECC1 and ECC2 circuits can implement various error correction algorithms such as BCH, Reed Solomon, or those based on the use of the Hamming or Gray codes. In the example of FIGS. 5 and 6, the data EXT and ECW are saved in the memory LM as a result of their generation, for example with the signature SGG in step S11. The data EXT and ECW are also transmitted in steps S3 and S24 to the microcircuit to allow the latter to regenerate the key K, from the secret data RND.

Some error correction algorithms use error correction data which can be exploited alone to recover the value of the data to be corrected. However, the ECW data is transmitted outside the chip SE1. In order for the RND data to be kept secret regardless of the error correction algorithm used, the IFC circuit may be modified according to that shown in FIG. 8. According to another embodiment, the IFC circuit shown in FIG. 8 differs from the IFC circuit in that it includes IFC1 ', IFC2' circuits different from the IFC1, IFC2 circuits. The IFC1 'circuit includes exclusive OR XG3, XG4 logic operators and the ECC1 circuit. The operator XG3 receives a portion PN1 of the PN data generated by the circuit PUC and the random data RND, the portion PN1 being of the size of the data RND. The operator XG3 provides an EXT1 data. The circuit ECC1 provides ECW error correction data from the RND data. The operator XG4 receives another PN2 part of the PN data and the ECW data.

The operator XG4 provides an EXT2 data which is concatenated with the data EXT1 to form the data EXT. The data PN1, RND and EXT1 therefore have the same size in number of bits. Similarly, the PN2 and ECW data have the same size. In this way, the ECW data is transformed into the data EXT2 before being transmitted outside the chip SE.

The circuit IFC2 'differs from the circuit IFC2 in that the operator XG2 provides both the data RND' and an error correction data ECW 'from the data EXT and the data PN' supplied by the circuit PUC . As in the IFC2 circuit, the ECC2 provides the RND data from the RND 'and ECW' data. Although the ECW and ECW 'data may be different, they are not very different considering the properties of the PUF function implemented by the PUC circuit. It is therefore likely that the number RND which is provided by the circuit ECC2 is close to that which was generated during the activation of the circuit IFC1 'at the commissioning of the microcircuit 10 SE1, the term "close" having the meaning previously defined. It goes without saying that the functions implemented by the circuits shown in FIGS. 7 and 8 can also be implemented in software form by a sequence of instructions executable by the processor PRO. It is also obvious that any other invertible logic function than the Exclusive OR function can be employed. Thus any pair of logical functions (F1, F2) can be used in place of the Exclusive OR function (for F1 and F2), provided that any pair of data (x, y) and for any PN data are satisfied. , the following relations: y = F1 (x, PN), and x = F2 (y, PN). (5) The key K may be chosen equal to or derived from the RND data, for example using an irreversible function such as a hash function such as MD5 and SHA-1, or by applying the equations (1), (2) or (3) and (4). In this way, it is not necessary to provide a non-volatile memory in the microcircuit to store the key K.

Some non-reproducible circuits implementing a PUF function may be susceptible to fault injection attacks. Indeed, to give some stability to the data provided by such a circuit, this data can be processed by an error correction circuit. By forcing a bit at 0 at the output of the non-reproducible circuit, for example by means of a laser beam, and observing the reaction of the error correction circuit, it is possible to determine whether an error has been corrected or whether no errors have been corrected. Depending on whether a reaction is observed or not, it is possible to deduce whether the bit modified by the fault injection must be at 1 or at 0. It is therefore possible to deduce the data normally supplied at the output of the correction circuit. of error, by injecting faults on each of the output bits of the non-reproducible circuit. To ensure a certain stability of the value of the data it provides, the non-reproducible circuit can be maintained under stable conditions, in particular temperature. The discovery of the data provided by the non-reproducible circuit may allow the attacker to determine a secret datum such as a cryptography key used by the microcircuit. According to one embodiment, the circuit PUC of the IFC circuit shown in FIG. 3, 7 or 8 comprises means for modifying, with each use of the circuit, a few bits of the value provided by the function PUF 10 implemented by the circuit, this is to ensure that the error correction circuit systematically corrects errors in each data provided by the non-reproducible circuit. The number of modified bits of each data item provided is less than or equal to the number of erroneous bits that the error correction circuit is able to correct.

The modified bits may be bits added to the bits provided by the PUF which are derived from a random generator. The modified bits may be bits whose polarity is inverted or forced to a certain value. The modified bits can also be randomly chosen. The introduction of modifications of the data provided by the PUF function can be done once for example at the commissioning of the microcircuit implementing the PUF function, or whenever the PUF function is activated. FIG. 9 represents the circuit PUC, and in particular the function PUF implemented by this circuit and a bit output OB of the circuit PUC, according to one embodiment. Some of the B bit output lines of the PUF function are connected to a bit OB output of the PUC circuit via an invertor INV and a multiplexer MX1. The multiplexer MX1 receives as input bit B and bit B inverted by inverter INV. The multiplexer MX1 is controlled by a random bit 11. Thus, the bit OB supplied at the output of the circuit 30 PUC corresponds either to the bit B supplied by the function PUB, or to this inverted bit as a function of the value of the random bit 11. In the example of Figure 9, if the bit 11 is 0, the B bit is output from the PUB circuit without change, if the bit 11 is 1, the B bit is reversed. According to one embodiment, all the bit output lines of the PUF function are connected to a bit output of the PUC circuit via such a circuit comprising an inverter and a multiplexer. Each multiplexer MX1 is controlled by a respective bit of a random datum RN1. The number of bits at 1 (in the example of FIG. 9) of the data RN1 is limited to the maximum number of bits of the data issuing from the function PUF, which can be modified, taking into account the error correction capabilities of the error correction circuit connected to the output of the PUC circuit. It will be apparent to those skilled in the art that the present invention is capable of various alternative embodiments and various applications.

In particular, the method according to the invention is not limited to the backup of data or programs present in a volatile memory of a microcircuit, but can also be applied to data and / or programs stored in a memory non-volatile microcircuit, especially when this memory has insufficient capacity.

It will also be clear to one skilled in the art that the various embodiments presented above are capable of various alternative embodiments and applications, and may be implemented independently of one another, or combined in various other ways. than those presented. In particular, the present invention is not limited to NFC devices and microcircuits configured to conduct NFC transactions, but can be applied to any secure microcircuit. Furthermore, the embodiments described with reference to FIGS. 7 and 8 can be implemented independently of the sequences of steps shown in FIGS. 5 and 6, in any circuit 25 using secret data, and which must be able to regenerate this data from data stored in an unsecure memory. Thus, the present application also covers, independently, a method of generating and regenerating a master key and a microcircuit implementing such a method. This method comprises the steps of: generating a random data RND and an error correction data ECW from the random data, generating a master key K from the random data, obtaining a first secret data PN, PN1 from a PUF function, non-reproducible, substantially deterministic, non-invertible and characteristic of the microcircuit, and combining by a first invertible logic function the first secret datum and the random datum, to obtain an exportable data EXT, EXT1 to the outside the microcircuit. The regeneration of the master key comprises the steps of: obtaining a second secret data PN 'from the characteristic function of the microcircuit, and combining by a second inverse logic function of the first logical function, the second secret datum and the data exportable, apply to the result RND 'of the second logical function ECC2 error correction processing using the error correction data ECW, ECW', to obtain the random data, and generate the signature key from the random data. According to one embodiment, the generation of the master key comprises the steps of: obtaining a third secret data PN2 from the function PUF characteristic of the microcircuit, and combining by the first logical function, the third secret datum and the data ECW error correction, to obtain a second exportable data EXT2, regeneration of the master key comprising the steps of: obtaining a fourth secret data PN2 'from the characteristic function of the microcircuit, and combine by the second function logic, the fourth secret data and the second exportable data, to obtain error correction data that is used by the error correction processing ECC2, to obtain the random data RND.

Of course, these features can be combined with other features previously described in this specification. Likewise, the embodiments described in particular with reference to FIG. 9 may be implemented independently of the embodiments described with reference to FIGS. 7 and 8. In particular, it may be provided to modify certain bits of a data item. provided by a function PUF in any circuit implementing such a function, since the latter is coupled to an error correction function. Conversely, the PUF function implemented in the circuit PUC is not necessarily coupled to an error correction function. Other methods can indeed be implemented in order to "stabilize the data or data provided by the PUF function, because it can be planned to activate the PUF function several times and to provide as output data the this function is an average value of all the data obtained as a result of these activations Thus, the present application also covers, independently, a method of generating a secret data in a substantially deterministic, non-invertible manner, in a microcircuit using a non-reproducible circuit characteristic of the microcircuit This method comprises steps of generating a secret datum using such a function, bit modification in the secret datum, by inserting bits. random or inversion of bits in the secret data, and application to the secret data of an error correction function, the bit changes in the secret data having a endue as they can be corrected by the error correction function. The rank of the modified bits, the value of the modified bits can be fixed or randomly selected. The number of modified bits can also be fixed or randomly chosen within the error correction capacity of the error correction function. Of course, these characteristics can be combined with other features previously described in the present description. 25

Claims (16)

REVENDICATIONS1. Method for managing the memory of a secure microcircuit (SE, SE1), comprising steps performed by the microcircuit consisting of: forming a data block (BLi) with executable code and / or data stored in a memory (MEM2 , MEM3) of the microcircuit, and to save on the outside of the microcircuit, calculate a signature (SGi) of the data block with the aid of a first signature key, insert the calculated signature of the data block into a block of data. signatures (BLS), obtain a current value of a non-volatile counter (CNT) internal to the microcircuit, calculate a signature (SGG) of the signature block associated with the current value of the internal counter, using a second key signature, and transmit outside the microcircuit, the data block, the signature block and the signature block signature. 2. Method according to claim 1, comprising steps performed by the microcircuit consisting in: issuing a request for a signature block, receiving in response a signature block (BLS) accompanied by a signature (SGG), calculating a signature (SGG ') of the signature block associated with the current value of the internal counter (CNT), using the second signature key (K), and if the calculated signature corresponds to the received signature: forming a data block (BLi) with executable code and / or data stored in the volatile memory (MEM2) of the microcircuit, and to save on the outside of the microcircuit, calculate a signature (SGi) of the data block, using the first signature key, insert the calculated signature of the data block into the signature block, modify the current value of the internal counter, calculate a new signature of the signature block associated with the new value of the internal counter, using the s econde key signature, and transmit outside the microcircuit, the data block, the block of signatures and the new signature of the block of signatures. Method according to claim 1 or 2, comprising the steps of: if the calculated signature (SGG ') of the signature block (BLS) corresponds to the received signature (SGG): sending a request for a data block ( BLi) saved outside the microcircuit, receiving in response the required data block, calculating a signature (SGi) of the received data block, using the first signature key, and if the calculated signature of the block of data data corresponds to a signature of the data block in the signature block (BLS), load the data block into the volatile memory (MEM2) of the microcircuit. 4. Method according to one of claims 1 to 3, comprising a step of cutting the volatile memory (MEM2) of the data block microcircuit (BL1-BLn) can be saved outside the microcircuit, in association with a signature (SG1-SGn) of the data block, saved in the signature block (BLS). 5. Method according to one of claims 1 to 4, wherein the first and second signature keys (K) are read in a non-volatile memory (MEM3) of the microcircuit or regenerated from a secret data provided by a circuit (PUC, RNGN) of the microcircuit. 6. Method according to one of claims 1 to 5, wherein the first and second signature keys (K) are identical. 7. Method according to one of claims 1 to 6, comprising a step of encrypting a data block (BLi) or the signature block (BLS), using an encryption key, before the emit on the outside of the microcircuit. The method of claim 7, wherein the encryption key is the same as the first or second signature key. 9. Method according to one of claims 1 to 8, wherein each block (BLi, BLS) is signed and / or encrypted with a signature or encryption key distinct from the signature and / or encryption keys used for the others. blocks. 10. Method according to one of claims 1 to 9, wherein each signature key (Ki) is generated from a secret data obtained by a function (PUF) non-reproducible, substantially deterministic, non-invertible and characteristic of the microcircuit , which combined with an error correction function or an averaging function, always provides the same secret data. The method according to one of claims 1 to 10, wherein the generation of each signature key comprises steps of: generating random data (RND) and error correction data (ECW) from the random data, generating the signature key (K) from the random data, obtaining a first secret data (PN, PN1) from a non-reproducible, substantially deterministic, non-invertible function (PUF) characteristic of the microcircuit, and combining by a first invertible logic function the first secret data and the random data, to obtain an exportable data (EXT, EXT1) outside the microcircuit, the regeneration of each signature key comprising the steps of: obtaining a second secret data (PN ') from the characteristic function of the microcircuit, etcombinant by a second inverse logic function of the first logical function, the second e secret data and the exportable data, apply to the result (RND ') of the second logic function an error correction process (ECC2) using the error correction data (ECW, ECW'), to obtain the random data , and generate the signature key from the random data. The method of claim 11, wherein the generation of each signature key (K) comprises the steps of: obtaining a third secret data (PN2) from the function (PUF) characteristic of the microcircuit, and combining by the first logical function, the third secret data and the error correction data (ECW), to obtain a second exportable data (EXT2), the regeneration of each signature key comprising the steps of: obtaining a fourth secret data (PN2) ') from the characteristic function of the microcircuit, and combine by the second logical function, the fourth secret data and the second exportable data, to obtain an error correction data which is used by the error correction process (ECC2), to obtain the random data (RND). 13. Method according to one of claims 10 to 12, comprising a step of changing bits in the secret data (PN, PN ', PN1, PN1', PN2, PN2 ') provided by the function (PUF) characteristic of the microcircuit, by inserting random bits or inverting bits in the secret data, the bit changes in the secret data having an extent such that they can be corrected by the error correction function. 14. Microcircuit comprising a processor (PRO) and a volatile memory (MEM2) in which is stored a program executed by the processor, the microcircuit being configured to implement the method 35 according to one of claims 1 to 13. 15. Microcircuit according to claim 14, comprising an insufficient rewritable non-volatile storage capacity for storing the programs or the operating system executed by the microcircuit. 16. Microcircuit according to claim 14 or 15, comprising a circuit (PUC) implementing a function (PUF) non-reproducible, substantially deterministic, non-invertible and characteristic of the microcircuit.